I wish to convert my PGP key (RSA) to be used for performing SSH authentication. After some searching, I found openpgp2ssh, which appears to be an appropriate tool. Everything works swimmingly for my pubkey:

My secret key is indeed encrypted. I'd ideally like a method to convert my PGP secret key into data that standard SSH programs can understand, instead of relying on nonstandard plugins. Is this possible?

I sent them an email about this thread, maybe they'll expand upon the error message.
– Jeff Burdges, Dec 12 '11 at 7:28

@tylerl - How is it like that? Both the PGP secret and the SSH secret are only going to be deployed in trusted environments (usually the same ones). It makes it no easier by itself to decrypt the private key of either. It doesn't become a single point of weakness since they are encrypted with different passphrases and different encryption methods.
– Chris Down, Dec 15 '11 at 7:57

@tylerl The point of this is that monkeysphere uses the PGP Web Of Trust, such that a server admin can theoretically grant you SSH access via your OpenPGP public key without having to exchange an SSH key first (probably in an OpenPGP encrypted message anyway...)
– Tobias Kienzler, Nov 9 '12 at 7:36

If you can propose a clearer one-line error message, or an improvement to the man page so that you could have found your answer in the documentation more easily, we'd be happy to improve the tool. Drop us a line at monkeysphere@lists.riseup.net. I don't think any of the current devs follow Stack Exchange closely at the moment, so the mailing list is a better way to get in touch.

My issue wasn't with the bug itself, it was how best to work around it. Isn't it possible to get the user to give the password, decrypt the key, convert it, and then re-encrypt with the same details? Maybe I only see that as possible because of my naivety in areas of cryptography?
– Chris Down, Dec 15 '11 at 7:34

In GnuPG 2.1 and recent versions of OpenSSH there is support for ED25519. Is it possible to do the same for this kind of key?
– Rnhmjoj, Nov 19 '14 at 22:36

There would be no point in converting a public key if nobody can convert the private key too, meaning this program was created with such a conversion process in mind. You'll notice the error message reads "We cannot handle encrypted secret keys."

I therefore recommend you remove the private key's password using the passwd command in gpg --edit-key. You should obviously re-encrypt both the old gpg private key and the new ssh private key after conversion.

If you're worried about an unencrypted key remaining on the drive, then create either an encrypted partition using encfs, truecrypt, etc., or else create a ramdisk. You should keep the ramdisk small and short-lived to prevent the kernel from swapping it, well, unless you find some trick for calling mlock. Any cryptographic file system should already mlock its data pages.

In theory, your private key has been written onto your hard drive by gpg --edit-key "$key" and .. | openpgp2ssh "$key" > ~/.ssh/id_rsa; maybe those sectors were overwritten later, but maybe not. You should ideally have created the intermediate unencrypted keys in either a ramdisk or an encrypted partition. I'd expect ordinary activity like locatedb, syslog, browser cache, etc. should wipe them out soonish, just say'n.
– Jeff Burdges, Dec 10 '11 at 7:08

@JeffBurdges A good point, but this was all done in T(A)ILS, so there is no risk of that.
– Chris Down, Dec 10 '11 at 12:13
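The thread turns on one fact: an RSA key is the same set of integers whichever container holds it, so "converting" a PGP key to SSH means reading those integers out of the OpenPGP packets and writing them into the formats OpenSSH reads. The example below, added here and not taken from the thread or from the monkeysphere/openpgp2ssh project, does the second half of that job by hand: it emits an "ssh-rsa" public-key line (RFC 4253 wire format), the SHA256 fingerprint ssh-keygen would print for it, and an unencrypted PKCS#1 private key in PEM, and it includes parsers to check the round trip. The key it uses is a constructed toy key with 61 and 53 as primes, chosen only so the numbers are easy to follow; the function names are my own. It also makes visible why the tool refuses an encrypted secret key: d, p and q are exactly the values that have to be written out, and while they sit under the passphrase there is nothing to write.

```python
"""Re-encode RSA key material into OpenSSH's public and PKCS#1 private formats.

Added illustration, not code from openpgp2ssh. Toy key only: a real RSA key is
2048 bits or more. Works with the standard library alone (Python 3.8+).
"""
import base64
import hashlib
import struct

# Constructed toy RSA key (NOT secure; for illustration only).
P, Q = 61, 53
N = P * Q          # 3233
E = 17
D = 2753           # E * D == 1 (mod lcm(P-1, Q-1)), i.e. the private exponent


def _mpint(x: int) -> bytes:
    """SSH 'mpint' (RFC 4251): length-prefixed big-endian two's complement.
    The +8 in the byte count adds a leading 0x00 exactly when the top bit is set."""
    if x == 0:
        return struct.pack(">I", 0)
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body


def _string(b: bytes) -> bytes:
    """SSH 'string': 4-byte length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_rsa_public_blob(n: int, e: int) -> bytes:
    """RFC 4253 6.6: string "ssh-rsa", mpint e, mpint n. This is what gets base64-encoded
    in authorized_keys and what openpgp2ssh produces for the public half."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def ssh_public_key_line(n: int, e: int, comment: str = "pgp-converted") -> str:
    return "ssh-rsa " + base64.b64encode(ssh_rsa_public_blob(n, e)).decode() + " " + comment


def ssh_fingerprint_sha256(n: int, e: int) -> str:
    """Same value `ssh-keygen -lf` prints: SHA-256 of the blob, base64 without padding."""
    digest = hashlib.sha256(ssh_rsa_public_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_ssh_public_key_line(line: str):
    """Inverse of ssh_public_key_line: decode the blob back to (n, e)."""
    blob = base64.b64decode(line.split()[1])
    fields, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + length])
        off += length
    assert fields[0] == b"ssh-rsa"
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x80|count followed by the length bytes."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(x: int) -> bytes:
    """DER INTEGER, positive: leading 0x00 added when the top bit would read as negative."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big") if x else b"\x00"
    return b"\x02" + _der_len(len(body)) + body


def pkcs1_private_key_pem(n: int, e: int, d: int, p: int, q: int) -> str:
    """RSAPrivateKey (RFC 8017): SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv },
    the unencrypted 'BEGIN RSA PRIVATE KEY' layout OpenSSH accepts for ~/.ssh/id_rsa.
    OpenPGP (RFC 4880) stores u = p^-1 mod q, whereas PKCS#1 wants qInv = q^-1 mod p,
    so a converter has to recompute the CRT values instead of copying them across."""
    dP, dQ, qInv = d % (p - 1), d % (q - 1), pow(q, -1, p)
    body = b"".join(_der_int(v) for v in (0, n, e, d, p, q, dP, dQ, qInv))
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"


def _der_read_len(buf: bytes, off: int):
    first = buf[off]
    off += 1
    if first < 0x80:
        return first, off
    count = first & 0x7F
    return int.from_bytes(buf[off:off + count], "big"), off + count


def pkcs1_pem_integers(pem: str):
    """Inverse of pkcs1_private_key_pem: return the nine INTEGERs in order."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    assert der[0] == 0x30
    _, off = _der_read_len(der, 1)
    ints = []
    while off < len(der):
        assert der[off] == 0x02
        length, off = _der_read_len(der, off + 1)
        ints.append(int.from_bytes(der[off:off + length], "big"))
        off += length
    return ints


if __name__ == "__main__":
    print(ssh_public_key_line(N, E))
    print(ssh_fingerprint_sha256(N, E))
    print(pkcs1_private_key_pem(N, E, D, P, Q))
```

Two things worth noticing when running it. First, the public line carries only n and e, which is why openpgp2ssh can produce it from an exported public key with no passphrase involved. Second, the private PEM is written in the clear; that is the file the answer above suggests creating on a ramdisk or encrypted volume and then protecting again (for OpenSSH, `ssh-keygen -p -f ~/.ssh/id_rsa` adds a passphrase to an existing key file).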